LightBox: Full-stack Protected Stateful Middlebox at Lightning Speed
Running off-site software middleboxes at third-party service providers has
been a popular practice. However, routing large volumes of raw traffic, which
may carry sensitive information, to a remote site for processing raises severe
security concerns. Prior solutions often abstract away important factors
pertinent to real-world deployment. In particular, they overlook the
significance of metadata protection and stateful processing. Unprotected
traffic metadata, such as low-level headers, packet sizes and packet counts, can be
exploited to learn supposedly encrypted application contents. Meanwhile, tracking the states
of 100,000s of flows concurrently is often indispensable in production-level
middleboxes deployed at real networks.
We present LightBox, the first system that can drive off-site middleboxes at
near-native speed with stateful processing and the most comprehensive
protection to date. Built upon commodity trusted hardware, Intel SGX, LightBox
is the product of our systematic investigation of how to overcome the inherent
limitations of secure enclaves using domain knowledge and customization. First,
we introduce an elegant virtual network interface that allows convenient access
to fully protected packets at line rate without leaving the enclave, as if from
the trusted source network. Second, we provide complete flow state management
for efficient stateful processing, by tailoring a set of data structures and
algorithms optimized for the highly constrained enclave space. Extensive
evaluations demonstrate that LightBox, with all security benefits, can achieve
10Gbps packet I/O, and that with case studies on three stateful middleboxes, it
can operate at near-native speed. Comment: Accepted at ACM CCS 201
Carpooling Liability?: Applying Tort Law Principles to the Joint Emergence of Self-Driving Automobiles and Transportation Network Companies
Self-driving automobiles have emerged as the future of vehicular travel, but this innovation is not developing in isolation. Simultaneously, the popularity of transportation network companies functioning as ride-hailing and ride-sharing services has altered traditional conceptions of personal transportation. Technology companies, conventional automakers, and start-up businesses each play significant roles in fundamentally transforming transportation methods. These transformations raise numerous liability questions. Specifically, the emergence of self-driving vehicles and transportation network companies creates uncertainty for the application of tort law's negligence standard. This Note addresses technological innovations in vehicular transportation and their accompanying legislative and regulatory developments. Then, this Note discusses the implications for vicarious liability for vehicle owners, duties of care for vehicle operators, and corresponding insurance regimes. This Note also considers theoretical justifications for tort concepts including enterprise liability. Accounting for the inevitable uncertainty in applying tort law to new inventions, this Note proposes a strict and vicarious liability regime with corresponding no-fault automobile insurance.
Detection of Early-Stage Enterprise Infection by Mining Large-Scale Log Data
Recent years have seen the rise of more sophisticated attacks including
advanced persistent threats (APTs) which pose severe risks to organizations and
governments by targeting confidential proprietary information. Additionally,
new malware strains are appearing at a higher rate than ever before. Since many
of these strains are designed to evade existing security products, the traditional
defenses deployed by most enterprises today (e.g., anti-virus, firewalls and
intrusion detection systems) often fail to detect infections at an early
stage.
We address the problem of detecting early-stage infection in an enterprise
setting by proposing a new framework based on belief propagation, inspired by
graph theory. Belief propagation can be used either with "seeds" of compromised
hosts or malicious domains (provided by the enterprise security operations
center -- SOC) or without any seeds. In the latter case we develop a detector
of C&C communication tailored to enterprises, which can detect a
stealthy compromise of even a single host communicating with the C&C server.
We demonstrate that our techniques perform well on detecting enterprise
infections. We achieve high accuracy with low false detection and false
negative rates on two months of anonymized DNS logs released by Los Alamos
National Lab (LANL), which include APT infection attacks simulated by LANL
domain experts. We also apply our algorithms to 38TB of real-world web proxy
logs collected at the border of a large enterprise. Through careful manual
investigation in collaboration with the enterprise SOC, we show that our
techniques identified hundreds of malicious domains overlooked by
state-of-the-art security products.
Online VNF Scaling in Datacenters
Network Function Virtualization (NFV) is a promising technology that promises
to significantly reduce the operational costs of network services by deploying
virtualized network functions (VNFs) to commodity servers in place of dedicated
hardware middleboxes. VNFs typically run on virtual machine
instances in a cloud infrastructure, where virtualization
enables dynamic provisioning of VNF instances to process the fluctuating
traffic that must traverse the network functions of a network service. In
this paper, we target dynamic provisioning of enterprise network services -
expressed as one or multiple service chains - in cloud datacenters, and design
efficient online algorithms without requiring any information on future traffic
rates. The key is to decide the number of instances of each VNF type to
provision at each time, taking into consideration the server resource
capacities and traffic rates between adjacent VNFs in a service chain. In the
case of a single service chain, we discover an elegant structure of the problem
and design an efficient randomized algorithm achieving an e/(e-1) competitive
ratio. For multiple concurrent service chains, we propose an online heuristic
algorithm that is O(1)-competitive. We demonstrate the effectiveness of our
algorithms using rigorous theoretical analysis and trace-driven simulations. Comment: 9 pages, 4 figure
Global state, local decisions: Decentralized NFV for ISPs via enhanced SDN
The network functions virtualization paradigm is rapidly gaining interest among Internet service providers. However, the transition to this paradigm on ISP networks comes with a unique set of challenges: legacy equipment already in place, heterogeneous traffic from multiple clients, and very large scalability requirements. In this article we thoroughly analyze these challenges and discuss NFV design guidelines that address them efficiently. In particular, we show that decentralizing NFV control while maintaining global state improves scalability, offers better per-flow decisions and simplifies the implementation of virtual network functions. Building on these principles, we propose a partially decentralized NFV architecture enabled by an enhanced software-defined networking infrastructure. We also perform a qualitative analysis of the architecture to identify its advantages and challenges. Finally, based on that qualitative analysis, we determine the bottleneck component, which we implement and benchmark in order to assess the feasibility of the architecture. Peer Reviewed. Postprint (author's final draft